Written by The WSJ then went to MasterCard, who told them (accurately) that multiple layers of security are available to prevent MasterCard data from being stolen by electronic eavesdropping. They quote Art Kranzley, EVP of New Payment Technologies: “It is up to the companies that issue the card to decide which security measures to adopt… Customers who don’t want RFID in their PayPass payment cards can ask to be issued an old-fashioned chipless card”.
Despite the fact that this is a payment product with lots of security, that customers don’t have to have it and that Chase (with 7 million cards issued) say they haven’t seen any fraud, the WSJ — apparently oblivious to the fact that the ISO 14443 13.56MHz short-range PayPass interface is not the same as the EPC Class 1 915MHz long-range interface used to read retail tags, that retail tags are meant to be “open” so that anyone can read the electronic barcode, that retail tags don’t contain microprocessors and that there is no cryptography in retail tags — uncritically quotes a variety of anti-RFID sources, including the Campaign Against Supermarket Privacy Invasion and Numbering (CASPIAN),
Technorati Tags: contactless, retail
CASPIAN is run by Katherine Albrecht. I can’t see how the payments industry can placate her with spreadsheets, diagrams or anything else because she thinks that RFID chips are the Mark of the Beast from the Book of Revelation. At the beginning of a video called “The Mark of the Beast, 666: a prophesy from 2000 years ago,” from Endtime Ministries she asks “How many people (know that) technological developments of the last 10 to 20 years could be combining to make the Mark of the Beast a reality, and possibly even in our lifetimes?”
Now, whether you agree with her or not isn’t the point. Personally, I don’t, but whatever. If merchants want to record some unique biometric characteristic of shoppers (by, for example, looking at them) or would prefer shoppers to pay with something quick (a contactless debit card, for example) rather than rooting around for change, then it’s up to them. If you don’t like Tesco’s loyalty card programme, then don’t go there.
But what to do in the payments industry? What messages should we project to the media and to consumers? How can we separate consumers entirely reasonable concerns about RFID (concerns exacerbated by a lack of attention to the consumer perspective) from the different issues around contactless payments? I have a three point plan:
1. We have to stop people from referring to contactless payments cards, and contactless passports for that matter, as RFID. RFID is about tags on cans of beans. Henceforth, I will never, ever say “RFID payments” again. They are contactless, contactless, contactless payments.
2. We should tell people what security there is in contactless payment systems and how it works. The era of security through obscurity is gone.
3. Issuers should include better information about contactless and how it works (from a consumer perspective) with the new contactless cards. A consistent, and valid, complaint from consumers is that they don’t understand how contactless payment cards work. Surely this could be addressed in the mailer.
The problem is that the contactless value proposition is not strong enough to make all the other worries go away. No more lines? Everyone in front of you would have to have one too. The primary benefit of contactless is much more in the business rules than in the technology. Eliminate the need for a signature or a PIN code and transactions are all of a sudden real fast. Insert an EMV chip card into the reader, wait for the bleep, pull it out, and you’ve achieved the same benefit without the cost of a contactless card and a special reader. And it is real secure too, because you can’t manufacture a fake EMV card. I don’t get it.
“The primary benefit of contactless is much more in the business rules than in the technology”
Actually, I think I disagree with you about this. For a merchant, contactless is much quicker than cash, let alone chip or stripe without PIN or signature. It also extends the possibilities for POS into external, vending etc. I think this is why it appears to have such momentum at the moment.
I’m waiting to see how many merchants agree to pay for the contactless readers. Right now, they were pretty much subsidized for all the first phase of merchants. We’ve done lots of tests, and can’t find how contactless is faster than a normal EMV chip card transaction (minus the PIN code of course).
hmmmm interesting